Navigating the murky waters of data abuse

When discussing data abuse, the first things that come to mind are data breaches or leaks. However, it’s important to note that data privacy and security are related but not interchangeable. Data breaches are easier to detect, and during the pandemic, Interpol noted a surge in cybercrime and data theft across Southeast Asia.

It is no surprise that IDC’s findings indicate that spending on security-related products in the Asia-Pacific has been increasing every year and is projected to reach US$39 billion by 2025. However, while improving data security is always a good idea, it only scratches the surface of data privacy abuse. The same tools that are used to combat hacks cannot be applied to protect data privacy.

Fortunately, data privacy has gained greater attention recently with regulators and technology companies pushing privacy measures for end consumers. However, there is still much work to be done. Adoption rates for data privacy have varied in Southeast Asia, with some countries having already passed data privacy laws, while other regional regulators are only just now establishing guidelines in 2023. This has caused uncertainty for businesses in the region regarding best practices, compliance, and government enforcement.

This gap in regulations has allowed companies to independently determine what is best for their business at the expense of their customers’ privacy needs. Additionally, the lack of clarity in data privacy compliance stems from the region’s failure to quickly re-skill and upskill employees to meet the demand for data protection talent, as reported by AT Kearney.

Privacy is trust

Data privacy is the governance of users’ personally identifiable information (PII), including how that data is collected, exchanged, and transacted online. Secure handling of this data helps build consumer confidence in a brand or organisation. Today, data on every visit, click, or online activity is being captured, mined, and used by organisations, retailers, and technology vendors to deliver personalised campaigns to target consumers. This data is usually utilised by site owners for marketing purposes. Customers are increasingly aware of the potential for abuse of their data and are savvy enough to define their own privacy settings when browsing the web.

Taking it a step further, customers today are already voting for privacy with their wallets by choosing to shop with businesses that value customer data privacy. With data transfers happening at lightning speed, customers need to be able to trust corporations with personal information, including banking and geographical data. Erosion of that trust means having that customer walk out the digital door, never to return.

Not every business upholds privacy

The heart of the problem is the practice of businesses abusing the data collected from consumers. In Europe, the General Data Protection Regulation (GDPR) and ePrivacy Directive mandate that businesses obtain consent from users before using any cookies, which are small pieces of data stored on web browsers, except those that are necessary for website functionality. However, a similar standard and regional protocol is not currently in place in Southeast Asia. This means that businesses in the region lack a comprehensive framework for managing cookies, online visitor tracking, and handling PII.

Today, the ability to collect and leverage data provides a competitive edge. However, handling personal data also makes businesses vulnerable to data privacy breaches, particularly if they lack knowledge of best security practices. While government bodies like the Monetary Authority of Singapore and Bank Negara Malaysia have established privacy rules for banks and financial institutions, the private sector needs better organisation, or it risks permanently losing the trust of customers. As more businesses adopt SaaS vendors for their business solutions, it is critical to ensure that the vendor values the privacy of your business data.

Enterprises should also prepare for a post-cookie digital world by adopting pro-consumer privacy policies and safeguarding consumer data with privacy technologies. By championing customer privacy, businesses gain the trust and confidence of an increasingly digitally savvy audience.

Vendor chain leaks can affect your privacy posture

With more businesses turning to SaaS vendors for business solutions, it is important to ensure that your vendor values the privacy of your business data. Businesses need to closely examine the privacy policy for all members in their chain of dependent services to ensure that they are compliant with any privacy pledges made to the end users.

Data handling aside, as it becomes common for businesses to turn to various vendors for their business application needs, there is an increasing risk that a leak or a breach may originate with a third-party provider. Businesses have to be aware of this risk and conduct regular reviews with service providers to ensure business and consumer data is appropriately safeguarded. This should be a rigorous part of the business process and not be taken for granted.

Keeping customers safe by first keeping employees safe

Apart from looking outside the organisation, business owners should also consider prevention by keeping their own employees safe from data leaks. Security tools, login authentication, VPNs, appropriate business application usage patterns, and encryption solutions can help enterprises protect customer data, especially as companies increasingly manage distributed teams and embrace a hybrid work model. The use of clean rooms, differential privacy, and encryption protocols will also take centre stage as privacy becomes a bigger concern among consumers.

As ideas on consent and data privacy evolve and create a domino effect across Southeast Asia, businesses need to go beyond digital transformation to an ideological transformation in the way they treat customer data and how they use it for business. Challenges are always a welcome opportunity for enterprises to organise themselves and course correct through proactive policy making. They should ensure that efforts are made to safeguard user privacy continually, before the regulations come into force in the region.